CiscoUmbrella-AddIpToDestinationList
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook creates a team notification and once acted on team notification it adds the IP to Cisco Cloud Security's destination list and also add's comment to incident. For more details, click here.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CiscoUmbrella |
| Source | View on GitHub |
Additional Documentation
📄 Source: CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken.
- Adds an IP to the destination list chosen in the adaptive card.
- Changes incident status and severity depending on the action chosen in the adaptive card.
- Adds comment to the incident with information about the actions taken.
Prerequisites
- Login to Cisco Cloud Security dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate "Key Scope" with Read/Write permission. Store "Api Key" and "Key Secret" to a safe place. This "Api Key" is a "Client Id" and "Key Secret" is a "Secret" used for this Playbook.
- Store the "Api Key" and "Key Secret" from previous step to Key vault Secrets.
- To send notification to Microsoft Teams, Teams group id and channel id is needed at the time of playbook creation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here
- Teams Group Id: Id of the Teams Group where the adaptive card will be posted
- Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
- Keyvault name: Name of the key vault where secrets are stored.
- Cloud Security API Client Id Key Name: Name of the Secrets field from Keyvault where Cisco Cloud Security "API Key" value is stored.
- Cloud Security API Secret Key Name: Name of the Secrets field from Keyvault where Cisco Cloud Security "Key Secret" value is stored.
- Host End Point: Default is "api.umbrella.com" and is used for any API call to Cisco Cloud Security REST API's.
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident with a malicious IP. In the Entity mapping section of the analytics rule creation workflow, malicious IP should be mapped to Address identifier of the IP entity type. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook.
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
d. Assign access policy on key vault for Playbook to fetch the secret key
- Select the Key vault resource where you have stored the secret
- Click on Access policies Blade
- Click on Create
- Under Secret permissions column , Select Get , List from "Secret Management Operations"
- Click next to go to Principal tab and choose your deployed playbook name
- Click Next leave application tab as it is .
- Click Review and create
- Click Create
References
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊